Unable to run the NISMAP command on a DC with non-admin credentials

We had a scenario where the customer was looking for an option to run the nismap command on a DC using non-admin credentials to populate entries in the auto_home NIS map.

To run the nismap add command, we tried delegating full control to the non-admin user on the following containers:

  • Ypserv30 and defaultMigrationContainer30

Typically the NISMAP command can do the job when run using the following syntax:

    nismap add -a <Unix domain> -e "map entry" map-name

But in a non-admin scenario it doesn't work, and it seems that the NISMAP command wasn't designed with the delegation model and non-admin privileges in mind.

Fortunately, a simple VBScript sample can be built to fulfill this task. To run the script as a non-admin user, we still need to delegate full control on the two containers mentioned above.

Try the script in a test environment before moving to the production environment. No specific support is provided for the script.

Please find the script below:

'===================================================================
' DISCLAIMER:
'-------------------------------------------------------------------
'
' This sample is provided as is and is not meant for use on a
' production environment. It is provided only for illustrative
' purposes. The end user must test and modify the sample to suit
' their target environment.
'
' Microsoft can make no representation concerning the content of
' this sample. Microsoft is providing this information only as a
' convenience to you. This is to inform you that Microsoft has not
' tested the sample and therefore cannot make any representations
' regarding the quality, safety, or suitability of any code or
' information found here.
'
'===================================================================
'
' This script adds an entry to the auto_home NIS map in Active Directory

'On Error Resume Next

' Check the argument count before reading the arguments: indexing a
' missing argument raises "Subscript out of range", so the syntax help
' would never be shown.
If WScript.Arguments.Count < 3 Then
    WScript.Echo "Syntax: cscript addAutoHome.vbs <nisDomain> <entryName> <mapEntry>"
    WScript.Quit 1
End If

strNisDomain = WScript.Arguments(0)
strEntryName = WScript.Arguments(1)
strMapEntry = WScript.Arguments(2)

If strEntryName = "" Or strMapEntry = "" Or strNisDomain = "" Then
    WScript.Echo "Syntax: cscript addAutoHome.vbs <nisDomain> <entryName> <mapEntry>"
    WScript.Quit 1
End If

' Note: the arguments are placed unescaped into the LDAP path and the
' ypclear.exe command line below, so pass only trusted values.
strContainer = "CN=auto_home,CN=" & strNisDomain & ",CN=defaultMigrationContainer30"

' Section to attach to Active Directory
Set objRoot = GetObject("LDAP://rootDSE")
strDNS = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNS)

' Section to create the object
Set objOU = GetObject("LDAP://" & strContainer & "," & strDNS)
Set objEntry = objOU.Create("nisObject", "cn=" & strEntryName)
objEntry.Put "msSFU30Name", strEntryName
objEntry.Put "msSFU30NisDomain", strNisDomain
objEntry.Put "nisMapName", "auto_home"
objEntry.Put "nisMapEntry", strEntryName & " " & strMapEntry

WScript.Echo " Adding: " & strEntryName & "..."

' Commit the new object to the directory
objEntry.SetInfo

' Run ypclear.exe for the auto_home map on the local host
Set objWShell = CreateObject("WScript.Shell")
Set objCmd = objWShell.Exec("ypclear.exe -d " & strNisDomain & " -h localhost auto_home")
Set objCmd = Nothing

WScript.Echo "Success: Added CN=" & strEntryName & "," & strContainer & "," & strDNS

==================================================================================
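
The script concatenates its three arguments straight into the LDAP path and the ypclear.exe command line. As an added example (not part of the original sample), the helpers below escape a value for use as an RDN inside an ADsPath and allow-list the NIS domain before it reaches the command line. The names EscapeRdnValue and IsSafeNisDomain are hypothetical, and the allow-list pattern is an assumption about what a NIS domain name looks like in your environment.

```vbscript
Option Explicit

' Added example: helper names, the allow-list pattern and the sample
' inputs are assumptions, not part of the original script.

' Escape a value for use as an RDN value inside an ADsPath: the RFC 4514
' special characters, plus "/" which ADSI treats as a path separator.
Function EscapeRdnValue(strValue)
    Dim i, ch, strOut
    strOut = ""
    For i = 1 To Len(strValue)
        ch = Mid(strValue, i, 1)
        If InStr(",+""\<>;=/", ch) > 0 Then
            ' Special anywhere in the value
            strOut = strOut & "\" & ch
        ElseIf (ch = " " And (i = 1 Or i = Len(strValue))) Or (ch = "#" And i = 1) Then
            ' Leading or trailing space, or leading "#"
            strOut = strOut & "\" & ch
        Else
            strOut = strOut & ch
        End If
    Next
    EscapeRdnValue = strOut
End Function

' True when the value contains only characters that cannot add extra
' arguments or quoting to the ypclear.exe command line.
Function IsSafeNisDomain(strValue)
    Dim objRe
    Set objRe = New RegExp
    objRe.Pattern = "^[A-Za-z0-9][A-Za-z0-9._-]*$"
    IsSafeNisDomain = objRe.Test(strValue)
End Function

' Constructed sample inputs
Dim arrSamples, strSample
arrSamples = Array("jsmith", "smith, john", "a+b=c", " lead", "eng/ops")
For Each strSample In arrSamples
    WScript.Echo "[" & strSample & "] -> cn=" & EscapeRdnValue(strSample)
Next

WScript.Echo "unix.example.com: " & IsSafeNisDomain("unix.example.com")
WScript.Echo "unix"" -h otherhost: " & IsSafeNisDomain("unix"" -h otherhost")
```

In the script above, the helpers would be applied where the values are used, for example objOU.Create("nisObject", "cn=" & EscapeRdnValue(strEntryName)), with the script exiting early when IsSafeNisDomain(strNisDomain) is False.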